Does Heartbleed affect Tresorit?
“Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.
The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.”
IS TRESORIT AFFECTED BY THE OPENSSL BUG?
The short answer is: no. If you are a crypto-lover you may be interested in more details, please read on!
We apply a so called “belts-and-suspenders” principle: everything is double secured. The bug which was revealed and fixed with the latest OpenSSL release, could not (statistically speaking) be exploited in Tresorit because it was “designed” to limit the exposure of sensitive information. The fact that we create separate keys for every files version in Tresorit makes it difficult, almost impossible, for an attacker to breach Tresorit’s security.
As Tresorit’s key management is created to make sure only those who are allowed have access to the secure content. Once a user modifies a document it is automatically re-encrypted with a new key. Additionally, the old key for the changed document is replaced with a new key in the directory that stores the document; the directory is then re-encrypted with a new key. Once a file or directory is re-encrypted with a new key, the next user accessing it can use the recently created key. Learn more about Tresorit key management in our White Paper.
Tresorit is built on the assumption that servers cannot be trusted: user content is safe, even if our infrastructure suffers a serious attack. Also Tresorit apps communicate exclusively with the Tresorit servers, there are no third party actors in the process. So as Tresorit users don’t send any information to third party actors (who could be malicious attackers) it frees us from the other possible way the OpenSSL bug could be exploited.
+1: If Tresorit was vulnerable to such attacks, hackers would have exploited it: we have had a $25,000 hacking bounty on our head since April 2013. Yet, Tresorit is still not hacked.
The quote is from “Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping“, originally appeared at arstechnica.com. Follow the links for the whole story.
Prior to the disclosure of this bug, and since, we have diligently monitored and tested our systems for signs of any vulnerability.
Overall our system remains secure, as in our ongoing testing, we have identified only one, highly unlikely potential client-side vulnerability, which was fixed when we updated our version of OpenSSL immediately after the news about Heartbleed surfaced. The probability of you having been exposed is extremely small, as in order to take advantage of it, the attacker would have had to have complete access to the local network you were connected to.
As we have previously reported we don’t apply any form of OpenSSL on our servers, therefore we are still 100% sure there has never been a server side threat from Heartbleed, which was the problem that 2/3 of websites and browser-based services like Dropbox and Box were exposed to.
As noted above, we had already updated all clients to the new OpenSSL version as a precaution, way before discovering this unlikely attack model. If you have logged in any time in the past weeks since this post came out, your client must have updated automatically.
Please also remember that though Heartbleed does not affect Tresorit, in case you used the same password in Tresorit as on an affected site, we encourage you to change your password. It’s common practice for hackers to try logging in to other services with a password they stole from one of your accounts, as reusing passwords is a common (but as Heartbleed shows, unsafe) practice.